sudhakararaog Posted May 20, 2008

Until I started using the techniques for avoiding SQL injection, I had been using a normal INSERT and SELECT SQL query, which worked fine. I have a registration page where a user enters their username; if this already exists I display a message by executing a SELECT query, and if the username does not exist then I run an INSERT query.

After adopting the technique to avoid SQL injection:

    if(get_magic_quotes_gpc()) {
        $username = stripslashes($_POST["username"]);
        $email = stripslashes($_POST["email"]);
    } else {
        $username = $_POST["username"];
        $email = $_POST["email"];
    }

Previously my SELECT and INSERT queries were:

    INSERT INTO individuals(username, email) values('$username', '$email')

    Select username from individuals where username = '$username'

Presently the INSERT query is:

    $insertquery = sprintf("INSERT INTO individuals (username, email) VALUES ('%s', '%s')",
        mysql_real_escape_string($username),
        mysql_real_escape_string($email));

This INSERT query is working; however, the SELECT query is not doing its task as before of checking whether the username already exists or not. Even if I register with the same username again it does not alert that the username exists. The SELECT query is:

    $selectqueryusername = sprintf("Select username from individuals where username='%s'",
        mysql_real_escape_string($username));

Should I change the syntax of the above SELECT query, or is there something else I need to do to fix the SELECT query?

Also, for the INSERT query, if I have a numeric value I should be writing %d, correct? I have a numeric value; however, before inserting that numeric value I am appending a character "-" to combine the area code and phone number, for example 09-123 4567, so I am considering this as %s as there is a character. Is this correct? Please advise. Thanks.
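The registration flow described above (look up the username, report a duplicate, otherwise insert) as an added example that is not the poster's code. It swaps the thread's sprintf + mysql_real_escape_string approach for PDO prepared statements with bound parameters, so no manual escaping or magic_quotes handling is needed, and it makes explicit the step the question's SELECT was missing in practice: the "already exists" decision must come from whether the query returned a row. The PDO DSN and credentials, the `$pdo` connection, and the `individuals(username, email, phone)` table with a UNIQUE index on `username` are assumptions.

```php
<?php
// Added example, not the thread's own code.
// Assumptions: a PDO connection $pdo to MySQL with a table
//   individuals(id INT AUTO_INCREMENT PRIMARY KEY,
//               username VARCHAR(64) NOT NULL UNIQUE,
//               email VARCHAR(255) NOT NULL,
//               phone VARCHAR(32) NULL)
// Prepared statements send the values separately from the SQL text, so
// quotes or SQL keywords inside $username are treated as data, never as syntax.

function usernameExists(PDO $pdo, string $username): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM individuals WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    // fetchColumn() returns false when no row matched. This result, not the
    // fact that the query ran without error, is what decides "username taken".
    return $stmt->fetchColumn() !== false;
}

function registerUser(PDO $pdo, string $username, string $email): string
{
    if (usernameExists($pdo, $username)) {
        return 'exists';
    }
    try {
        $stmt = $pdo->prepare('INSERT INTO individuals (username, email) VALUES (?, ?)');
        $stmt->execute([$username, $email]);
    } catch (PDOException $e) {
        // Two requests racing between the SELECT and the INSERT can both see
        // "no such user". The UNIQUE index makes the second INSERT fail with
        // MySQL error 1062 (duplicate entry), which is reported as a duplicate
        // instead of surfacing as a crash.
        if (isset($e->errorInfo[1]) && $e->errorInfo[1] === 1062) {
            return 'exists';
        }
        throw $e;
    }
    return 'created';
}

// A phone number such as "09-123 4567" is a string, not an integer: binding it
// as a string keeps the hyphen and space intact, whereas a %d conversion would
// have reduced it to the leading digits.
function savePhone(PDO $pdo, string $username, string $phone): void
{
    $stmt = $pdo->prepare('UPDATE individuals SET phone = ? WHERE username = ?');
    $stmt->execute([$phone, $username]);
}

// Usage with assumed connection details (replace with your own):
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
echo registerUser($pdo, "O'Brien", 'obrien@example.com'), "\n";
echo registerUser($pdo, "O'Brien", 'other@example.com'), "\n";
savePhone($pdo, "O'Brien", '09-123 4567');
```

Registering the same username twice returns 'exists' on the second call; the apostrophe in O'Brien is stored literally because it is bound as a parameter rather than spliced into the query text. The ATTR_ERRMODE setting matters: without exceptions enabled, a failed execute() returns false silently, which is one way an existence check can appear to "do nothing".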
BlueSkyIS Posted May 20, 2008

Why not:

    $selectqueryusername = "Select username from individuals where username='".mysql_real_escape_string($username)."'";
MadTechie Posted May 20, 2008

For the date, %s should be fine, but you could also do this:

    $isodate = sprintf("%04d-%02d-%02d", $year, $month, $day);

As for the username check, the query looks fine. Could the problem be due to other members being inserted before the update? Or the code around it?